Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Apple macOS 10.12.3 and IOS 10.2.1 Fix Security Flaws

Apple issues its first security updates of 2017, fixing 18 security vulnerabilities in iOS and 11 security issues in macOS.

Apple released its first operating system updates of 2017 on Jan. 23, with the debut of macOS 10.12.3 on the desktop and IOS 10.2.1 for iPhone and iPad users. The updates are the first since December 2016, when Apple released macOS 10.12.2 and IOS 10.2.

The IOS 10.2.1 update provides patches for 18 vulnerabilities, while the macOS 10.12.13 releases patches 11 vulnerabilities. In the IOS update, 12 of the issues are in the WebKit web browser rendering engine. The WebKit flaws include issues that could have enabled data exfiltration and arbitrary code execution. Apple is also fixing the same 11 WebKit issues in its Safari 10.0.3 web browser which is available for macOS.

Additionally, there is an interesting WiFi vulnerability identified as CVE-2017-2351 that could have potentially enabled a locked device to show a user's home screen.

"An issue existed with handling user input that caused a device to present the home screen even when activation locked," Apple warns in its advisory.

Further reading

IOS 10.2.1 also addresses an auto unlock flaw identified as CVE-2017-2352 that is related to the use of an iPhone with an Apple Watch. According to Apple's description of the flaw, the auto unlock feature may unlock when Apple Watch is not on the user's wrist. The auto unlock capability with Apple Watch is intended to be a user convenience feature that will unlock a locked IOS or macOS device.

Both macOS and IOS are being patched for a pair of kernel vulnerabilities that could have potentially enabled an attacker to execute arbitrary code. CVE-2017-2370 is buffer overflow issue in the kernel, while CVE-2017-2360 is a use-after-free memory vulnerability in the kernel.

Apple macOS 10.12.3 also includes a patch for a vulnerability in the Help Viewer component, which is used by the desktop operating system to display help files.

Multiple researchers contributed bug reports to Apple, though it is Google's Project Zero research group that has the highest representation across both IOS and macOS updates. Eleven vulnerabilities in the Jan. 23 Apple updates are credited to Google Project Zero researchers. Three are credited to Ian Beer (CVE-2017-2370,CVE-2017-2360 and CVE-2017-2353), Ivan Fratic is also credited with three reports (CVE-2017-2362,CVE-2017-2373 and CVE-2017-2369). Google Project Zero researcher Jung Hoon Lee, who is known by the alias 'lokihardt', is credited with reporting four vulnerabilities (CVE-2017-2363, CVE-2017-2364, CVE-2017-2365 and CVE-2017-2371) that are patched by Apple this month.

In addition to the security fixes in the macOS 10.12.3 update, Apple is fixing multiple bugs that impact its new MacBook Pro that was released in October 2016. Among the fixes are improved automatic graphics switching and an update to resolve graphics issues related to Adobe Premiere Pro use on a MacBook Pro with Touch Bar.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.